Are hardware makers doing enough to keep Android phones secure?

For all the good of Android’s open-source approach, one of the clear and consistent downsides is that the onus to issue software updates falls on the manufacturer. That can mean frustration for those waiting for the latest and greatest feature updates — and in some cases, it can put your phone at risk with delayed or missed security updates.

A pair of researchers at Security Research Labs recently shared a study with Wired highlighting some of these risks. The team’s findings are the result of testing 1,200 Android handsets from all the major manufacturers over the course of two years, examining whether manufacturers had offered the security patches as advertised.

According to SRL, missed security patches were discovered on a wide range of different handsets across manufacturers. Sony and Samsung were both flagged as having missed some security patches — in some cases in spite of reporting that they were up to date. “It’s almost impossible for the user to know which patches are actually installed,” one of the researchers told the site.

Xiaomi, Nokia, HTC, Motorola and LG all made the list, as well, while TCL and ZTE fared the worst in the study, with, on average, not having installed more than four of the patches they claimed to have installed on a given device.

In a statement provided to TechCrunch, Google pointed to the importance of various different means used to secure the Android ecosystem. The company believes that the SRL findings might not tell the full story when it comes to keeping devices secure.

“We would like to thank Karsten Nohl and Jakob Kell for their continued efforts to reinforce the security of the Android ecosystem,” the company writes. “We’re working with them to improve their detection mechanisms to account for situations where a device uses an alternate security update instead of the Google suggested security update. Security updates are one of many layers used to protect Android devices and users. Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important. These layers of security—combined with the tremendous diversity of the Android ecosystem—contribute to the researchers’ conclusions that remote exploitation of Android devices remains challenging.”

The company also pointed us to this year in review post, which sheds a bit more light on the matter.